bazarbackdoor | 8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

max time kernel
230s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 00:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

dl2.exe
Size

849KB
MD5

c2055b7fbaa041d9f68b9d5df9b45edd
SHA1

e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256

342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512

18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP

12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Score

10^/10

bazarbackdoor backdoor bootkit discovery persistence

Malware Config

Signatures

BazarBackdoor 64 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

description	flow	ioc	Process
	178	zirabuo.bazar	Process not Found
	180	zirabuo.bazar	Process not Found
	191	zirabuo.bazar	Process not Found
	204	zirabuo.bazar	Process not Found
	208	zirabuo.bazar	Process not Found
	222	zirabuo.bazar	Process not Found
	242	zirabuo.bazar	Process not Found
	198	zirabuo.bazar	Process not Found
	209	zirabuo.bazar	Process not Found
	214	zirabuo.bazar	Process not Found
	224	zirabuo.bazar	Process not Found
	230	zirabuo.bazar	Process not Found
Key created		\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
	213	zirabuo.bazar	Process not Found
	217	zirabuo.bazar	Process not Found
	220	zirabuo.bazar	Process not Found
	175	zirabuo.bazar	Process not Found
	181	zirabuo.bazar	Process not Found
	212	zirabuo.bazar	Process not Found
	226	zirabuo.bazar	Process not Found
	238	zirabuo.bazar	Process not Found
	184	zirabuo.bazar	Process not Found
	202	zirabuo.bazar	Process not Found
	205	zirabuo.bazar	Process not Found
	229	zirabuo.bazar	Process not Found
	236	zirabuo.bazar	Process not Found
	194	zirabuo.bazar	Process not Found
	206	zirabuo.bazar	Process not Found
	233	zirabuo.bazar	Process not Found
	240	zirabuo.bazar	Process not Found
	179	zirabuo.bazar	Process not Found
	192	zirabuo.bazar	Process not Found
	197	zirabuo.bazar	Process not Found
	243	zirabuo.bazar	Process not Found
	177	zirabuo.bazar	Process not Found
	188	zirabuo.bazar	Process not Found
	190	zirabuo.bazar	Process not Found
	210	zirabuo.bazar	Process not Found
	218	zirabuo.bazar	Process not Found
	219	zirabuo.bazar	Process not Found
	231	zirabuo.bazar	Process not Found
	232	zirabuo.bazar	Process not Found
	193	zirabuo.bazar	Process not Found
	201	zirabuo.bazar	Process not Found
	207	zirabuo.bazar	Process not Found
	211	zirabuo.bazar	Process not Found
	227	zirabuo.bazar	Process not Found
	228	zirabuo.bazar	Process not Found
	235	zirabuo.bazar	Process not Found
	239	zirabuo.bazar	Process not Found
	189	zirabuo.bazar	Process not Found
	203	zirabuo.bazar	Process not Found
	223	zirabuo.bazar	Process not Found
	215	zirabuo.bazar	Process not Found
	225	zirabuo.bazar	Process not Found
	199	zirabuo.bazar	Process not Found
	241	zirabuo.bazar	Process not Found
	176	zirabuo.bazar	Process not Found
	182	zirabuo.bazar	Process not Found
	200	zirabuo.bazar	Process not Found
	216	zirabuo.bazar	Process not Found
	221	zirabuo.bazar	Process not Found
	183	zirabuo.bazar	Process not Found
	185	zirabuo.bazar	Process not Found

Downloads MZ/PE file

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
226	zirabuo.bazar
227	zirabuo.bazar
190	zirabuo.bazar
197	zirabuo.bazar
211	zirabuo.bazar
216	zirabuo.bazar
194	zirabuo.bazar
220	zirabuo.bazar
239	zirabuo.bazar
193	zirabuo.bazar
195	zirabuo.bazar
232	zirabuo.bazar
221	zirabuo.bazar
234	zirabuo.bazar
179	zirabuo.bazar
191	zirabuo.bazar
212	zirabuo.bazar
219	zirabuo.bazar
230	zirabuo.bazar
242	zirabuo.bazar
244	zirabuo.bazar
175	zirabuo.bazar
203	zirabuo.bazar
207	zirabuo.bazar
218	zirabuo.bazar
178	zirabuo.bazar
208	zirabuo.bazar
225	zirabuo.bazar
198	zirabuo.bazar
217	zirabuo.bazar
177	zirabuo.bazar
202	zirabuo.bazar
215	zirabuo.bazar
222	zirabuo.bazar
192	zirabuo.bazar
233	zirabuo.bazar
235	zirabuo.bazar
243	zirabuo.bazar
224	zirabuo.bazar
229	zirabuo.bazar
182	zirabuo.bazar
184	zirabuo.bazar
188	zirabuo.bazar
204	zirabuo.bazar
205	zirabuo.bazar
180	zirabuo.bazar
181	zirabuo.bazar
186	zirabuo.bazar
200	zirabuo.bazar
176	zirabuo.bazar
206	zirabuo.bazar
236	zirabuo.bazar
228	zirabuo.bazar
240	zirabuo.bazar
185	zirabuo.bazar
199	zirabuo.bazar
210	zirabuo.bazar
214	zirabuo.bazar
201	zirabuo.bazar
209	zirabuo.bazar
183	zirabuo.bazar
213	zirabuo.bazar
231	zirabuo.bazar
237	zirabuo.bazar

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	FreeYoutubeDownloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	FreeYoutubeDownloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 28 IoCs

pid	Process
5332	Alerta.exe
4728	Alerta.exe
3052	ClassicShell.exe
2296	ClassicShell.exe
2112	FreeYoutubeDownloader.exe
2596	FreeYoutubeDownloader.exe
64	Free YouTube Downloader.exe
980	Free YouTube Downloader.exe
4408	FreeYoutubeDownloader.exe
1492	FreeYoutubeDownloader.exe
5116	Gas.exe
4152	Gas.exe
6120	Gas.exe
5132	Gas.exe
1940	MEMZ.exe
5360	MEMZ.exe
5156	MEMZ.exe
920	MEMZ.exe
1128	MEMZ.exe
4744	MEMZ.exe
824	MEMZ.exe
5932	MEMZ.exe
3832	MEMZ.exe
4340	MEMZ.exe
4884	MEMZ.exe
1076	MEMZ.exe
5172	MEMZ.exe
5384	MEMZ.exe

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.32.160.206
Destination IP	139.59.208.246
Destination IP	35.196.105.24
Destination IP	198.251.90.143
Destination IP	89.18.27.167
Destination IP	162.248.241.94
Destination IP	185.117.154.144
Destination IP	66.70.211.246
Destination IP	51.254.25.115
Destination IP	193.183.98.66
Destination IP	193.183.98.66
Destination IP	5.132.191.104
Destination IP	147.135.185.78
Destination IP	94.177.171.127
Destination IP	45.71.112.70
Destination IP	46.28.207.199
Destination IP	91.217.137.37
Destination IP	146.185.176.36
Destination IP	192.52.166.110
Destination IP	104.238.186.189
Destination IP	104.37.195.178
Destination IP	158.69.160.164
Destination IP	77.73.68.161
Destination IP	212.24.98.54
Destination IP	217.12.210.54
Destination IP	82.141.39.32
Destination IP	185.208.208.141
Destination IP	212.24.98.54
Destination IP	111.67.20.8
Destination IP	87.98.175.85
Destination IP	35.196.105.24
Destination IP	162.248.241.94
Destination IP	77.73.68.161
Destination IP	185.164.136.225
Destination IP	217.12.210.54
Destination IP	45.32.160.206
Destination IP	51.254.25.115
Destination IP	139.99.96.146
Destination IP	66.70.211.246
Destination IP	193.183.98.66
Destination IP	176.126.70.119
Destination IP	104.37.195.178
Destination IP	5.135.183.146
Destination IP	81.2.241.148
Destination IP	163.53.248.170
Destination IP	46.101.70.183
Destination IP	91.217.137.37
Destination IP	167.99.153.82
Destination IP	5.135.183.146
Destination IP	50.3.82.215
Destination IP	158.69.160.164
Destination IP	69.164.196.21
Destination IP	198.251.90.143
Destination IP	142.4.205.47
Destination IP	5.45.97.127
Destination IP	158.69.239.167
Destination IP	192.99.85.244
Destination IP	158.69.239.167
Destination IP	81.2.241.148
Destination IP	5.45.97.127
Destination IP	89.35.39.64
Destination IP	51.255.211.146
Destination IP	82.196.9.45
Destination IP	185.164.136.225

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
149	raw.githubusercontent.com
150	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ClassicShell.exe
File opened for modification	\??\PhysicalDrive0	ClassicShell.exe
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClassicShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClassicShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Free YouTube Downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alerta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alerta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{320B3E6B-199E-41AC-A45E-D175B0F74921}	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 872195.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 716534.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 415220.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 547805.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 980549.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4324	msedge.exe
4324	msedge.exe
4732	identity_helper.exe
4732	identity_helper.exe
5332	msedge.exe
5332	msedge.exe
5024	msedge.exe
5024	msedge.exe
6092	msedge.exe
6092	msedge.exe
5812	msedge.exe
5812	msedge.exe
2224	msedge.exe
2224	msedge.exe
5384	msedge.exe
5384	msedge.exe
5384	msedge.exe
5384	msedge.exe
4988	msedge.exe
4988	msedge.exe
5156	MEMZ.exe
5156	MEMZ.exe
5156	MEMZ.exe
1128	MEMZ.exe
5156	MEMZ.exe
1128	MEMZ.exe
920	MEMZ.exe
920	MEMZ.exe
1128	MEMZ.exe
920	MEMZ.exe
1128	MEMZ.exe
920	MEMZ.exe
5156	MEMZ.exe
5156	MEMZ.exe
5156	MEMZ.exe
920	MEMZ.exe
920	MEMZ.exe
5156	MEMZ.exe
1128	MEMZ.exe
1128	MEMZ.exe
824	MEMZ.exe
824	MEMZ.exe
4744	MEMZ.exe
4744	MEMZ.exe
1128	MEMZ.exe
824	MEMZ.exe
1128	MEMZ.exe
824	MEMZ.exe
5156	MEMZ.exe
5156	MEMZ.exe
920	MEMZ.exe
920	MEMZ.exe
5156	MEMZ.exe
920	MEMZ.exe
920	MEMZ.exe
5156	MEMZ.exe
824	MEMZ.exe
1128	MEMZ.exe
824	MEMZ.exe
1128	MEMZ.exe
4744	MEMZ.exe
4744	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
980	Free YouTube Downloader.exe
64	Free YouTube Downloader.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
980	Free YouTube Downloader.exe
64	Free YouTube Downloader.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3120	dl2.exe
1200	dl2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 2472	4324	msedge.exe	102
PID 4324 wrote to memory of 2472	4324	msedge.exe	102
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 3016	4324	msedge.exe	103
PID 4324 wrote to memory of 4788	4324	msedge.exe	104
PID 4324 wrote to memory of 4788	4324	msedge.exe	104
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105
PID 4324 wrote to memory of 4444	4324	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3120

C:\Users\Admin\AppData\Local\Temp\dl2.exe
C:\Users\Admin\AppData\Local\Temp\dl2.exe {FA29468C-A0EE-4AFC-9BAE-8B8A57F5BE14}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- BazarBackdoor
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac6cf46f8,0x7ffac6cf4708,0x7ffac6cf4718
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6448 /prefetch:8
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Users\Admin\Downloads\Alerta.exe
  "C:\Users\Admin\Downloads\Alerta.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5332
- C:\Users\Admin\Downloads\Alerta.exe
  "C:\Users\Admin\Downloads\Alerta.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6628 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6092
- C:\Users\Admin\Downloads\ClassicShell.exe
  "C:\Users\Admin\Downloads\ClassicShell.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Users\Admin\Downloads\ClassicShell.exe
  "C:\Users\Admin\Downloads\ClassicShell.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5812
- C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
  "C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2112
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:64
- C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
  "C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2596
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:980
- C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
  "C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4408
- C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
  "C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3652 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Users\Admin\Downloads\Gas.exe
  "C:\Users\Admin\Downloads\Gas.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5116
- C:\Users\Admin\Downloads\Gas.exe
  "C:\Users\Admin\Downloads\Gas.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6084 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5384
- C:\Users\Admin\Downloads\Gas.exe
  "C:\Users\Admin\Downloads\Gas.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6120
- C:\Users\Admin\Downloads\Gas.exe
  "C:\Users\Admin\Downloads\Gas.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,12715515406322254991,13161326894449418974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1940
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3832
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4340
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4884
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1076
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5172
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:5384
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:448
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5360
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5156
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:920
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1128
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4744
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:824
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:5932
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:1748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b17cb822a4fff214cee8bb528f6f833e

SHA1
41aa8c08afafe4c3e8fa45c02e4e4f35ae7f8c85

SHA256
a8cda03e732eddc7d9d8ef78da7a1d091f7fa8e86799222e61c9f3a28a0919a3

SHA512
55a2f45508eb3f2ab21a7c7ec9c20261630ef3c4d1495c1a69fcbb28ddbc9ce5289d3229b44693a7c0bf7086a2c4db2529193b35be1d72297c0b28ec028a2cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
cac334a5da5240195bec406d74bf004c

SHA1
4823f5ba7eb97a2c81db30fd147897c3de0ebebb

SHA256
230c4e5aabc7a548781dffb583eaf3f0ce3d448ee0c38b448512be7014929495

SHA512
4f3533cf943f42cf66cc63252de7de0f15519154be1215ab8c7ed1547b7bae942289b65928859462f26ba1ad1af3f6e8239540d6d3e0bb1b14852df6ee6911d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
37e202d370267a2524520d4eef41ffe3

SHA1
90b91b3449d05c47a7fd69b39add8d2ac6c88b12

SHA256
e4671dfbc6efe858dd466d92d23aa035d03f5b95e388f9c2936e6f20cb9e825b

SHA512
477d54dd2c1e1d6c3de2071d08aedd15b21ced2213cbe4667d134bdcb37e003c0bb8bca1a2228225d3dae35fc8a0d190b693248c40f722a8b50f330b0aab8f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b9bcda18785cf5f988b52302459c3fdd

SHA1
5234ea1efd19264d874ed721319d3216a0f48e50

SHA256
4eaa1d3173a0854aac9453dfb8acd372e74aae8968bce11dbc5621b9a7260b70

SHA512
ed6a2179d621ad4dfd5fe300c461c2b0104d8076a30752d98b65f04e15d8e35bc5fb4ce8c2e7323720d8f0cbb50ebe540653af3ceffb67e8755f0d0d05578b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a2c8696ad4cfd375f7b0233e3f107799

SHA1
24ce27cc4b0c3f02ab23dd494966e5e040435ba8

SHA256
be8c3df1b4d58f189995b44050f13ff291aa9d4a7baa0c544f33e8f070b9b21a

SHA512
9c7fc69f136ac04750f5f324b8bff3110c51d57a7ac147788e71e8d59977560615b6e12989914b6ea86a42d054cb0d3888ff0bc09cd5682615359ee0da6288ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6182eca7cf8f0ff603c9a954468e8f13

SHA1
750188d18439db33b8014866d21cb6a111ce604a

SHA256
56909ebd8518c9da1f0b213cc62c1cca7aed535020acb8acfe9bc6951088c46e

SHA512
10dad92208ce34644bb6e55f77fd29188fbdd8bffead46f946bbed74b29ff31de91d7e17ee447707453bb54c52ca0bb4b466b021cce906e53ec161ad5221b672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
43a7db9eadf3a6a8a22f2b7c56a79d92

SHA1
519fa886e82cbcb903c376994362901f5124488f

SHA256
52faac759cb3c49fefd0be25942378ffe06651c95b9963f898f7ec4f47597e0c

SHA512
cf2c699adebff835f25f676e987dcf4ab4d858e2da0f0ea8b61477a14f5e5c760fac5fa272f90dd5de20824104a82503221d5a1fb7a5ea65f19d660810e5cd3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3291f9b38254e2d8975c520d3a378f30

SHA1
03a2e7e0fc811c85b0407d661def03f4514a8bbb

SHA256
c1ccc17f65ae56f1b87834114a45cf5e79b8e11c6c12b44d9dccf430e65c55f6

SHA512
37d1e276f833c86d8de94e63c791a608569fa3466084498592aa22e3989174cdcc27d4908a95fad158cb2514c7ff5bd74dea52c83301e9256c9ea8dbbe76f6df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f6944299a6bb6cdf36bf32960fd67a7e

SHA1
0c049418871b881c86a60665c1a6c01442aa3068

SHA256
10b976c986f42bff93d20845b3fb39b3e00c936439e79ad86329c7455d357cef

SHA512
6b9dd845bd7b41a288e0f41cbefb4a6cef5decda721fe477747f6f546b2c6067c0270c6256414149d0e70e7ae4ed51ebe8f14e14fd232b50eacf86e586fe43c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a80b2a63513413fb4adeb5782ef16abb

SHA1
4adef6dfb4d85c9b0b433f9fc47428c34d233a2c

SHA256
7f56667b1fdffb58ad5fb0ccef831efedd8b61ceec3527a767d5b101c3f528c4

SHA512
bcaaf00a5f7e3744227ef5e69cb211c86a804820cab16b2e0975e150255c71f293f42592930b1e55bca6862746aa3eabe94e16fb3e0656f0201d6ae3662a957e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6068104ab913e3313f6dc177f6a5c55f

SHA1
3cba91dafbb5d71c9c120793b5b8bf63bdbce7b0

SHA256
e885f8a4d8dc47299f38f7a3e35626163b913e81c3cdb059b1491319cb2e342c

SHA512
31d363397311e6445d00d722ab00aebb897d4269131e421ae1a57a8ade4363aec77255067668e48d9eced95487c816fcd4d9318edaf819ff5d93980c10831c22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
683889e01c5b6b1f26b3a571a33f385a

SHA1
bb46fbcc6ac0229e9f7cc98147f1e822db710f83

SHA256
f09553c9284a3ffc05c9f73f8ba969ffe676fc070aa917459a23767bbfffbb20

SHA512
adc61c07deb1352490eb74a3019d6a2abe2fb704828eff4f53037b71af335758f8a5985366ce65b71d8879438cbd05a1da65b4f526d66e08288650fe9e038fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
676142c2bc8974bb39bcf59676022a12

SHA1
cd63603ca7f104591c1d5f649d968b8df427e058

SHA256
990c22fcc169d92eaf4bca9218c5dd2d5d384451d843e06432f60fefe42a5bb4

SHA512
95f3f0d13bf213339e6d08844b9d1dee4031f13e5dbb02a28e8719eeb8fed02778648ce0b3a55cef84be6118a8c7f4a10750dca7e9cf8525a5661ba81ff0fb7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
39b28af55871d6f43440516b09af7ee9

SHA1
2b30559fc6bbe4e601b1c421e975987fa5a2496f

SHA256
42851efcd7a6650574bb45a7b9da6b3b70b2773593674cf5d09a74f92b68a277

SHA512
8efadca9829806c148aa358bac058bcd9316f9b6e7d7c719ff4aae3cb51b0ad86eee9e3b750977cf8d7efa26d12992bc869f251f7a3d80be27dceecef6507836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c57e.TMP

Filesize
536B

MD5
88f3713163439ad1322702864c24d0ea

SHA1
81317ac4d59ce15c60b37dd714e2e94d4ad93fe5

SHA256
8d575ed3e61088316babaa729af862eecbc9f4c1700e48f0480965bfc55b0f16

SHA512
6506b4473a9d53316e1192b6a72e71288ac21d9aad5065404eb1ac0683b6e6351d481e57375d30a1f1f849f942e1f3c5a64bc820c1efdc363ceae622f990b260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c01e33c78bcefd600f73674141207750

SHA1
ffe0b67ac2fcf8ecf614eef03c6f8ac6d9140a47

SHA256
ae5c19c828fc5643c54684ae5ac09b77a10620b63fb3aca802f0f5dac886c65d

SHA512
5e46cd5d4c6168079d44da22a56ac58fb57c367e658390280a43988f54e0e119871c848a04c42da90db546a074f6c5cc881bfa3660530d5b2ed486b86a4fcb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c4d385b18d15996d974bd06002a6a234

SHA1
703a6060f1ede315298f5e8f2d3d8d27799f50f5

SHA256
5454e9665b436257a825ef296784f8bbd875aa5afa72514292f718d8d4fdbaa5

SHA512
8dd65732e81ba3f99b7fff6aa914dac442aa36e5574f8a2b8b5b5280f2e1e5841c2e4514f8a6bb33594543e399bd42f869ee9cd2e8f08f3d79937bcaf05cef7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b996ad3601247a15c4bf24ba6fabc5c4

SHA1
f445779e1aa1131dfa6794ecb5a869b0ead78c29

SHA256
c80eeba5b1615468d167d504127a338dc86fdf4195763251ad913e924378c675

SHA512
c48bc0ee185f43fa770b1844e04d70c9c72298b6bb9f90fd3c06cb196db2d29e0fb1e44a1545899d67371ed2d4a1ccab8d41cb1091328c4d0cacbec0eace8f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
36520ae3afd8afed15cb8a970c944f34

SHA1
ebc9fcfe3c6e95eeaee71c78c3a3b846b205417c

SHA256
e1ffaaa25c8b06d9d963d6ff700342d5b4e3fc6fa998b86a1d808631912a7a3c

SHA512
dd98f40746fffa044f386febc7587979bd4dbaa03545ba78cb36c86db81d91d40e23262ec02606ac5b3bd6e04b5d5f4d751642a4a8bd674defb17a1799b8ad5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
17bf5bc85fb8ab58994e1cc62b73edd9

SHA1
a76a7ced5ac8f68e0dc3582b91c9ee09b3bc8f4b

SHA256
56f4ceaf7b9bda0c1fe45d5a7f4230461daabec305c40385c93cc23118827952

SHA512
06edf16dc4a3f9e907a133b4948f48f9e152414bb949961069b81f13784050517c014b0b78ec99d771cc635c6b0a0c64f11b23e0556288141590267a48f6ec6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
36B

MD5
8708699d2c73bed30a0a08d80f96d6d7

SHA1
684cb9d317146553e8c5269c8afb1539565f4f78

SHA256
a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

SHA512
38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\temp_0.tmp

Filesize
176KB

MD5
bc82784f4aa47bcfed93e81a3b9950f2

SHA1
f5f2238d45733a6dde53c7b7dfe3645ee8ae3830

SHA256
dd47684334f0a2b716e96f142e8915266d5bc1725853fd0bdc6d06148db6167f

SHA512
d2378f324d430f16ce7dcf1f656b504009b005cdb6df9d5215fe0786c112e8eba8c1650a83192b6a9afad5892a1a456714665233f6767765619ccb5ff28e2b8a

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 415220.crdownload

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 547805.crdownload

Filesize
18KB

MD5
e7af185503236e623705368a443a17d9

SHA1
863084d6e7f3ed1ba6cc43f0746445b9ad218474

SHA256
da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a

SHA512
8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 716534.crdownload

Filesize
6.8MB

MD5
c67dff7c65792e6ea24aa748f34b9232

SHA1
438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e

SHA256
a848bf24651421fbcd15c7e44f80bb87cbacd2599eb86508829537693359e032

SHA512
5e1b0b024f36288c1d2dd4bc5cf4e6b7d469e1e7e29dcef748d17a92b9396c94440eb27348cd2561d17593d8c705d4d9b51ae7b49b50c6dee85f73dec7100879

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 872195.crdownload

Filesize
111KB

MD5
e8ed8aaf35e6059ba28504c19ff50bab

SHA1
01412235baf64c5b928252639369eea4e2ba5192

SHA256
2d2a22db20a44474afbd7b0e6488690bad584dcae9789a5db776cc1a00b98728

SHA512
d007c96b2fad26763d27be8447ca65e0ab890deb6388b90cf83c0b3431e09b225f7424098927b54f15fe34eae953b61b45371b0df4b2d89c60be9c006ffe9034

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 980549.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

Filesize
438KB

MD5
1bb4dd43a8aebc8f3b53acd05e31d5b5

SHA1
54cd1a4a505b301df636903b2293d995d560887e

SHA256
a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02

SHA512
94c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe

Filesize
110KB

MD5
139df873521412f2aebc4b45da0bc3e9

SHA1
3fd72fd5bad8ee9422fb9efa5f601f6b485404df

SHA256
efe6bd2e0fc7030994fc2837b389da22c52a7b0bbdbd41852fcaf4308a23da10

SHA512
d85cf83d3b2cf9af3076e40d7419be42a561bce1160376ba580b3078b581ed2bd6d274fb2a0767aa81a9e92052762f39c1c391ca0cac3043ad85a72862713bd3

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe

Filesize
110KB

MD5
ab648a0df4fe7a47fe9d980c545b065d

SHA1
ce28ea7dd117289daf467467a592bc304c72d4e6

SHA256
905a849721ec95ab08754aeee9a60b3ed435d36962466fcbe5cfca63dfc455cd

SHA512
7ae99da55fbf1c31c5281e5f4e10ab2bc33b89effeee82b574eb4b60541c5ea2913d5d99836608873da372c78e75436ae7e535568f48d81cb9dd26d2cc1b3a8c

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe

Filesize
110KB

MD5
f6fd80ff64b946c3687f89302fcee091

SHA1
61d92147558e8884403d77d2c4f80068241de100

SHA256
5f1b8a21cb5927ba3eb73ef0bc277d1b9b7c633e2cd9d7d3d56945657b345b96

SHA512
b68c517c5960c2172019b6fc48bb75767a09bd5e8f57775eb5f319164571554ef3e4f328f3c6ede390febb95ea76cd4a2b5db46eb9a2421b221a7f479f6d4981

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini

Filesize
3KB

MD5
c92a1d4d0755c886dd137c6cab43c35e

SHA1
fc16175e58ad1f67c57e7fdf55333fdd0e01d936

SHA256
6ab1ee65e6c9c5e31fe3680fc92a2a0ae73f216e966f5582a2d9c265357238d4

SHA512
0525880a1f4cc7dd912ca4006fe4bd02bf1218931fcb56489a0ec728a682fdf1ecd35e8797c665c63dc19d8236942d9b832a6a8c46e00df02afa2c65327dd9de

Download Submit
memory/64-671-0x0000000005070000-0x000000000507A000-memory.dmp

Filesize
40KB

Download
memory/64-667-0x00000000006A0000-0x00000000006CE000-memory.dmp

Filesize
184KB

Download
memory/64-668-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/64-669-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/64-672-0x0000000005360000-0x00000000053B6000-memory.dmp

Filesize
344KB

Download
memory/64-670-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/980-666-0x000001F497020000-0x000001F49704E000-memory.dmp

Filesize
184KB

Download
memory/1200-10-0x0000000000670000-0x00000000006A0000-memory.dmp

Filesize
192KB

Download
memory/1200-17-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/1492-703-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-665-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2296-539-0x0000000000400000-0x0000000000AD8000-memory.dmp

Filesize
6.8MB

Download
memory/2596-664-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3052-538-0x0000000000400000-0x0000000000AD8000-memory.dmp

Filesize
6.8MB

Download
memory/3120-18-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3120-1-0x00000000020D0000-0x0000000002100000-memory.dmp

Filesize
192KB

Download
memory/3120-8-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/4408-707-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads